Joseph James O'Connor, also known as the Twitter hacker "PlugwalkJoe," has been sentenced to five years in federal prison for his involvement in the historic 2020 Twitter breach and other cybercriminal activities, per a news release from the U.S. Attorney's Office in the Northern District of California. The 24-year-old UK citizen was extradited from Spain in April 2023 to face the charges brought against him.
Me watching my $30,000 in bitcoin drop pic.twitter.com/4iOdA9uxm7— Joseph "plugwalkjoe" O'Connor (@plugwalkoconnor) December 11, 2018
The Twitter hack in July 2020 saw more than 130 high-profile accounts being compromised, including those of Barack Obama, Joe Biden, Elon Musk, and major brands such as Apple and Uber. O'Connor and his accomplices were responsible for generating tweets from these accounts asking followers to send Bitcoin to an account, with promises to double their money. As a result of this scam, millions of Twitter users viewed suspicious tweets, and thousands were duped into believing a crypto giveaway was genuine.
After pleading guilty to hacking charges in May 2023, O'Connor received his sentence on June 23, 2023, from a Southern District of New York U.S. District Judge, who also ordered him to pay $794,012.64 in forfeiture, according to the United States Attorney's Office. In addition to the Twitter hack, O'Connor admitted to other hacking crimes that included gaining unauthorized access to a high-profile TikTok account and stalking a minor.
List of hacked high-profile Twitter accounts:— The Hacker News (@TheHackersNews) July 16, 2020
- Jeff Bezos
- Elon Musk
- Warren Buffett
- Barack Obama
- Michael Bloomberg
- Kanye West
- Wiz Khalifa
- Justin Sun
- Charlee Lee
During the hearing, Judge Jed S. Rakoff stated that O'Connor would likely serve about half of his sentence after more than two years in pre-trial custody. Although he faced a maximum of 77 years in prison, Reuters reported that Justice Department prosecutors called for the British hacker to serve at least seven years behind bars. Apologizing to his victims and asking for leniency, O'Connor admitted in court that his crimes were "stupid and pointless."
According to prosecutors, O'Connor and his co-conspirators used sophisticated phone-based social engineering techniques to trick Twitter employees into granting them access to the platform's network. This allowed the group to obtain Twitter's internal administrative tools, which they in turn used to hijack and reassign user accounts. One of O'Connor's fellow hackers, Graham Ivan Clark, who also known as Kirk, previously pleaded guilty to his role in the Twitter breach and was sentenced in 2021, as BBC reported.
As a result of the breach, the New York Department of Financial Services accused Twitter of inadequate cybersecurity protections. An investigation into the incident revealed that the hackers managed to infiltrate Twitter's systems by posing as employees from the IT department and convincing real employees to hand over their login details. Following the breach, Twitter implemented several cybersecurity enhancements to prevent future phishing attempts, such as introducing hardware security keys for its employees.
In September 2022, more details emerged about the scale of the hackers' access to Twitter's internal systems. Peiter "Mudge" Zatko, who was hired as Twitter's head of security months after the breach, referred to the hackers' level of access as achieving "god mode" in a whistleblower complaint filed with federal regulators. In the complaint, Zatko accused Twitter of failing to adopt proper cybersecurity measures and called the incident "the largest hack of a social media platform in history."
The sentencing of Joseph O'Connor serves as a notable development in the ongoing efforts to bring cybercriminals to justice, showcasing how cooperation between international law enforcement agencies can successfully track down and punish those who misuse technological expertise for malicious purposes.